| Enterprise-Scale Design Principles | ARM Templates | Scale without refactoring |
|---|---|---|

| Best Practice Check | Deploy To Azure |
|---|---|
| Yes | Deploy To Azure |

Deploy Enterprise-Scale foundation

The Enterprise-Scale architecture is modular by design and allows organizations to start with foundational landing zones that support their application portfolios, regardless of whether the applications are being migrated or are newly developed and deployed to Azure. The architecture enables organizations to start as small as needed and scale alongside their business requirements, whatever the starting point.

Customer profile

This reference implementation is ideal for customers who want to start with landing zones for their workloads in Azure, where hybrid connectivity to their on-premises datacenter is not required from the start.

How to evolve and add support for hybrid connectivity later

If the business requirements change over time, for example migrating on-premises applications to Azure that require hybrid connectivity, the architecture allows you to expand and implement networking without refactoring the Azure design and with no disruption to what is already in Azure. The Enterprise-Scale architecture lets you create the Connectivity subscription, place it in the Platform management group, assign Azure Policies and/or deploy the target networking topology using either Virtual WAN or a hub-and-spoke networking topology. For more details, see the Next steps section at the end of this document.

Pre-requisites

To deploy this ARM template, your user or service principal must have the Owner role at the tenant root scope. See the following instructions on how to grant access before you proceed.

Optional pre-requisites

The deployment experience in Azure portal allows you to bring in an existing (preferably empty) subscription dedicated for platform management, and an existing subscription that can be used as the initial landing zone for your applications.

To learn how to create new subscriptions programmatically, please visit this link.

To learn how to create new subscriptions using Azure portal, please visit this link.

What will be deployed?

By default, all recommendations are enabled; you must explicitly disable any that you don't want deployed and configured.

  • A scalable Management Group hierarchy aligned to core platform capabilities, allowing you to operationalize at scale using centrally managed Azure RBAC and Azure Policy, with clear separation between platform and workloads.
  • Azure Policies that will enable autonomy for the platform and the landing zones.
  • An Azure subscription dedicated for management, which enables core platform capabilities at scale using Azure Policy such as:
    • A Log Analytics workspace and an Automation account
    • Azure Security Center monitoring
    • Azure Security Center (Standard or Free tier)
    • Azure Sentinel
    • Diagnostics settings for Activity Logs, VMs, and PaaS resources sent to Log Analytics
  • (Optionally) Integrate your Azure environment with GitHub (Azure DevOps will come later), where you provide a personal access token (PAT) used to create a new repository and automatically discover and merge your deployment into Git.
  • A landing zone subscription for Azure native, internet-facing applications and resources, with workload-specific Azure Policies such as:
    • Enforce VM monitoring (Windows & Linux)
    • Enforce VMSS monitoring (Windows & Linux)
    • Enforce Azure Arc VM monitoring (Windows & Linux)
    • Enforce VM backup (Windows & Linux)
    • Enforce secure access (HTTPS) to storage accounts
    • Enforce auditing for Azure SQL
    • Enforce encryption for Azure SQL
    • Prevent IP forwarding
    • Prevent inbound RDP from internet
    • Ensure subnets are associated with NSG
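The workload policies listed above are applied as policy assignments at the landing zone management group, so every subscription placed under that management group inherits them. The following ARM template is an added example (not part of this repository's templates) showing how one such assignment, "Enforce secure access (HTTPS) to storage accounts", is expressed as a management-group-scoped deployment. It assumes the built-in definition "Secure transfer to storage accounts should be enabled" (definition ID 404c3081-a854-4457-ae30-26a93ef643f9; confirm it in your tenant before relying on it) and a management group named `<prefix>-online`, both of which are assumptions of this example rather than values taken from the page.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyDefinitionId": {
      "type": "string",
      "defaultValue": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
      "metadata": {
        "description": "Assumed built-in definition 'Secure transfer to storage accounts should be enabled'. Verify the GUID with: az policy definition list --query \"[?displayName=='Secure transfer to storage accounts should be enabled'].name\""
      }
    },
    "effect": {
      "type": "string",
      "defaultValue": "Deny",
      "allowedValues": [ "Audit", "Deny", "Disabled" ],
      "metadata": {
        "description": "Deny blocks new or updated storage accounts that allow plain HTTP; Audit only reports them. Start with Audit if existing workloads may break."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2019-09-01",
      "name": "Deny-Storage-http",
      "properties": {
        "displayName": "Enforce secure access (HTTPS) to storage accounts",
        "description": "Example assignment at the landing zone (Online) management group; inherited by every subscription beneath it.",
        "policyDefinitionId": "[parameters('policyDefinitionId')]",
        "enforcementMode": "Default",
        "parameters": {
          "effect": { "value": "[parameters('effect')]" }
        }
      }
    }
  ]
}
```

Deploy it with `az deployment mg create --management-group-id <prefix>-online --location <region> --template-file assign-storage-https.json` (the management group name is assumed). Note that a Deny effect only stops new or updated resources from being created in a non-compliant state; storage accounts that already allow HTTP are reported as non-compliant but are not changed, so review the compliance results after assignment before relying on the control.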

Diagram: Enterprise-Scale without connectivity

Next steps

From a platform perspective:

If you later want to add connectivity to your Enterprise-Scale architecture to support workloads requiring hybrid connectivity, you can:

  1. Create a new child management group called 'Connectivity' in the Platform management group
  2. Move an existing subscription, or create a new one, into the Connectivity management group
  3. Deploy your desired networking topology, either Virtual WAN (Microsoft managed) or hub & spoke (customer managed)
  4. Create a new management group (Corp) under the landing zone management group, to separate connected workloads from online workloads.
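Steps 1, 2 and 4 above (and the "How to evolve and add support for hybrid connectivity later" section) are management group changes that can be made as a tenant-scoped ARM deployment, which is what keeps the expansion free of refactoring: the existing Platform and Landing Zones management groups are only referenced as parents, never recreated. The template below is an added example, not one of this repository's templates. It assumes the management groups are named `<prefix>-platform` and `<prefix>-landingzones` (the `topLevelPrefix` parameter) and that the new groups are called `<prefix>-connectivity` and `<prefix>-corp`; adjust the names to match your hierarchy.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "topLevelPrefix": {
      "type": "string",
      "metadata": {
        "description": "Assumed prefix of the existing hierarchy, e.g. 'contoso' for contoso-platform and contoso-landingzones."
      }
    },
    "connectivitySubscriptionId": {
      "type": "string",
      "defaultValue": "",
      "metadata": {
        "description": "Subscription GUID to move into the Connectivity management group (step 2). Leave empty to only create the management groups."
      }
    }
  },
  "variables": {
    "platformMg": "[concat(parameters('topLevelPrefix'), '-platform')]",
    "landingZonesMg": "[concat(parameters('topLevelPrefix'), '-landingzones')]",
    "connectivityMg": "[concat(parameters('topLevelPrefix'), '-connectivity')]",
    "corpMg": "[concat(parameters('topLevelPrefix'), '-corp')]"
  },
  "resources": [
    {
      "type": "Microsoft.Management/managementGroups",
      "apiVersion": "2020-05-01",
      "name": "[variables('connectivityMg')]",
      "properties": {
        "displayName": "Connectivity",
        "details": {
          "parent": {
            "id": "[tenantResourceId('Microsoft.Management/managementGroups', variables('platformMg'))]"
          }
        }
      }
    },
    {
      "type": "Microsoft.Management/managementGroups",
      "apiVersion": "2020-05-01",
      "name": "[variables('corpMg')]",
      "properties": {
        "displayName": "Corp",
        "details": {
          "parent": {
            "id": "[tenantResourceId('Microsoft.Management/managementGroups', variables('landingZonesMg'))]"
          }
        }
      }
    },
    {
      "condition": "[not(empty(parameters('connectivitySubscriptionId')))]",
      "type": "Microsoft.Management/managementGroups/subscriptions",
      "apiVersion": "2020-05-01",
      "name": "[concat(variables('connectivityMg'), '/', parameters('connectivitySubscriptionId'))]",
      "dependsOn": [
        "[tenantResourceId('Microsoft.Management/managementGroups', variables('connectivityMg'))]"
      ]
    }
  ]
}
```

Run it with `az deployment tenant create --location <region> --template-file add-connectivity.json --parameters topLevelPrefix=<prefix> connectivitySubscriptionId=<guid>`; this requires the tenant root Owner permission described under Pre-requisites. Moving the subscription is what makes it inherit the Platform management group's policy assignments, so check its compliance state afterwards; step 3 (the networking topology itself) is a separate deployment into that subscription, such as the Virtual WAN or Hub & Spoke templates referenced below.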

Optionally, you can enable the above using the following ARM templates:

| Connectivity setup | Description | ARM Template |
|---|---|---|
| Virtual WAN | Deploys requisite infrastructure for on-premises connectivity with Virtual WAN | Deploy To Azure |
| Hub & Spoke | Deploys requisite infrastructure for on-premises connectivity with Hub & Spoke | Deploy To Azure |

From an application perspective:

Once you have deployed the reference implementation, you can create new subscriptions or move existing subscriptions into the Landing Zone management group (Online), and then assign RBAC to the groups/users who should use the landing zones (subscriptions) so they can start deploying their workloads.

Refer to the Create Landing Zone(s) article for guidance to create Landing Zones.